Introduction
This page shows the high-level status of the OpenVPN 2.6 release. If you want all the details, see the Active Tickets by Milestone report.
Schedule
Too early to say, but we hope to get this done quicker than 2.4 and 2.5 - so, tentatively:
- all "must have" code in (except TLS handshake): End of December 2021
- RC candidates: Jan/Feb? 2022
- 2.6.0 release: March 2022
Features/fixes to include
must have
Task description | Assigned to | Status | Ticket
DCO (on Linux) | ordex, plaisthos, cron2 | alpha release | -
DCO (on Windows) | lev, d12fk, plaisthos | wip | -
update auth-user-pass docs | mattock | not started, discussion here
polish auth-token / auth-gen-token corner cases (not sending token after explicit-exit-notify from server, etc.) | cron2, plaisthos | pending | -
frame/buffer size handling | plaisthos | TBD | -
OpenSSL 3.0.0 support | plaisthos | mostly done 2021-11-12 | -
OpenSSL 3.0.0 xkey | selva | PR sent | -
TLS handshake replay protection (up for discussion) | plaisthos | not started | -
DDoS reflection hardening (rate-limiting) | plaisthos, cron2 | wip | -
DNS option rework (split DNS) - new option parsing | d12fk | concept being written | -
switch to 3.0.0 for Windows builds | lev, mattock | - | -
OpenSSL Config file handling ("where does an OpenVPN binary read OpenSSL config from, and why?") - windows build / private vcpkg? - unix builds - OpenVPN vs. system defaults vs. loading "local" OpenSSL 3.0 providers | lev, selva(?) | done 2021-11-24 | -
--nobind for --pull by default ("random client port by default") | plaisthos | done 2021-12-06 | #936, #877
sort out multiple-plugin auth mess | dazo | investigating, first patch | -
nice to have / wild ideas
Task description | Assigned to | Status | Ticket
implement kqueue on MacOS | plaisthos | not started | -
DNS option rework (split DNS) - windows backend | lev, d12fk | -
support TLS alerts | plaisthos | ??? | -
AUTH_TEMP_FAIL ("I can not handle you *now*, but please come back later") [auth-retry noninteract -> something for 3.x mostly, but 2.x must handle gracefully] | ? | ? | -
test server that does --auth-user-pass and/or challenge stuff | cron2 (snair) | --auth-user-pass done, challenge missing |
Update OpenVPN PRF (move away from SHA1/MD5) | syzzer/plaisthos | done(?) |
maybe: fix radius-plugin - plugin is useful but not maintained very well | ??? | ??? |
DCO (on FreeBSD) | ? | ? | -
test framework improvements (local "make check" crypto tests) | syzzer | - | -
unlikely to happen, keeping the list
inner VRF support? | ?? | ?? | ??
route monitoring (enable clients to react to network changes) | cron2 | not started | -
maybe: add PRF plugin interface | ??? | ??? |
maybe: add key exchange plugin interface (allows easily doing e.g. post-quantum kex) | ??? | ??? |
maybe: add data channel separation (or, move to ovpn3, which already has this?) | ??? | ??? |
Dynamic routes ('route in ccd-file'), depends on netlink support | ??? | ??? |
transport plugin (primary use case: obfuscation) | ordex | wip |
tftp/wpad patch | jjk | patch on list, needs review and merge |
support TLS record splitting (like ovpn3) | syzzer | (started, but no patches available yet) | #554
support for multiple-protocol sockets (UDP/TCP) | ordex | wip | -
Support for multiple sockets (multi-port/multi-IP) | ordex | pending review | #556
improve control channel performance (further) - redo reliability layer, introduce windowing / scaling | syzzer | ??? |